ACL peername
by Natalia
Hi,
I have a problem with ACLs. I want to grant access to an IP. My ACL:
olcAccess: to dn.subtree="ou=people,dc=example,dc=de"
by group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de" write
by group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de" read
by peername.ip=127.0.0.1 read
by * none
But I get an error:
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcAccess> handler exited with 1
in logs:
conn=1034 op=4 MOD attr=olcAccess olcAccess
Feb 11 13:33:07 ldap slapd2.4[21279]: slapd: line 0: expecting <access> got
"writeby".
Feb 11 13:33:07 ldap slapd2.4[21279]: <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Obj
Feb 11 13:33:07 ldap slapd2.4[21279]: conn=1034 op=4 RESULT tag=103 err=80
text=<olcAccess> handler exited with 1
I have OpenLDAP 2.4.22. If I remove "by peername.ip=127.0.0.1 read" it
works.
Thanks for help!
Kind regards
Natalia
12 years, 3 months
question about cn=config replication and security.
by Mailing Lists
Hello.
I'm running a pair of openldap 2.4 servers which replicate cn=config DB in
mirror mode.
Is there a way to configure a RO user (like a user from BDB) for the cn=config DB,
so that should someone get hold of its password, they still will not be able to
change the configs?
Regards.
12 years, 3 months
port level security for auth and anon
by Christopher Louis Jackson
I am looking for help with setup of security with my openldap config.
I currently have RHEL 6 with ldap:// and ldaps:// working for both auth binds and anon binds.
What I want to do is allow anon binds on ldap:// and require authentication over an encrypted stream on ldaps://.
My current access is set to:
access to attrs=userPassword
by anonymous auth
by self read
by * none
access to *
by * read
I do not have a security statement in my slapd.conf.
I have tried a few things, such as changing the userPassword access to:
access to userPassword
> by anonymous auth sasl_ssf=128 break
> by anonymous auth tls=128
> by self read
but the syntax is not correct and the config will not load with the above.
Any help would be great.
Chris Jackson
12 years, 3 months
slapd security based on port
by Chris Jackson
Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389?
I want to allow staff to query my ldaps:// from outside of my network while requiring them to log in to do so, but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldap:// 389.
I know:
Anonymous bind can be disabled by "disallow bind_anon" and the unauthenticated bind mechanism is disabled by default. But if I use "disallow bind_anon" it stops it on both ports. I want to stop it just on ldaps://.
Chris Jackson
12 years, 3 months
Login with email ?
by Jarek
Hello!
Is it possible to use an email address to log in to LDAP?
I'm working on a mail management panel where users are identified by
emails. Now I'm searching the tree for the DN of a particular email and then I'm
logging in with that DN and password, but I'd like to avoid this search if
possible...
best regards
JT.
12 years, 3 months
stopping anonymous access to userPassword
by RAT
I'm unaccustomed to the new (non-slapd.conf) way of adding ACLs/ACIs.
I'm trying to exclude anonymous access to the password. We've tried this to no effect:
olcAccess: to dn.base="cn=users,dc=lib-mac,dc=local" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to attrs=userPassword
by self write
by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" read
by * auth
olcAccess: to dn.subtree=""
by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" write
by users read
by anonymous auth
Robert Threet
http://yesistilluseperl.blogspot.com/
12 years, 3 months
slapo-lastbind: warning in doing slapcat
by Marco Pizzoli
Hi list,
I'm using the slapo-lastbind overlay with OpenLDAP HEAD.
I receive a warning when invoking slapcat to do a full backup of my user
database. This is the output of my job:
[ldap@ldap03 tmp]$ /usr/local/openldap/sbin/slapcat -b "dc=lan,dc=mycorp.it"
-l dump_db_user.ldif
UNKNOWN attributeDescription "AUTHTIMESTAMP" inserted.
The backup seems done correctly.
Could this warning be due to an error of mine?
If not, since this is a contrib overlay, should I file an ITS anyway?
Thanks
Marco
--
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
Jim Morrison
12 years, 3 months
The correct way of updating a schema
by E.S. Rosenberg
A package I use recently updated the schema files related to the package.
What is the correct way to go about replacing the schemas that were already
loaded into cn=schema?
My bruteforce solution was most likely not the correct way.
Thanks and best regards,
Eli
12 years, 3 months
DB_CONFIG - Auto remove logs
by ldap@mm.st
This may have been discussed, but I cannot seem to find out why the
transaction logs are not getting removed when I use DB_LOG_AUTOREMOVE in
DB_CONFIG. This is on a Red Hat 5 OpenLDAP 2.3 server.
DB_CONFIG has the following:
set_lg_dir /var/lib/ldap/bdblogs
set_flags DB_LOG_AUTOREMOVE
Doing slapd_db_archive shows about 134 unused files.
I then did the following (is this the correct procedure to use when
updating DB_CONFIG?):
> service ldap stop
> Edited DB_CONFIG
> slapd_db_recover
> slapd_db_archive
> service ldap start
The files are still there. I also manually did a checkpoint with
"slapd_db_checkpoint -1" and verified the transaction log time changed.
Reran "slapd_db_archive" and it outputs the same files. I read that
earlier versions required a patch for this to work, but I was not sure
about this one. I'm unclear on when the removal is supposed to take
place, but it doesn't seem to be working.
12 years, 3 months